Windows XP: Feds Brace For End Of Support

Roughly one in ten US government PCs still use Windows XP. They will be more vulnerable to attacks when XP support ends on April 8.


As Microsoft's April 8 deadline approaches for ending support of its Windows XP operating system, one of its largest groups of users, the federal government, appears behind schedule in making the transition to new operating systems, leaving an estimated 10% of federal desktop computers more vulnerable to attacks. After that date, government computers using the operating system will continue to function, but they will become "five times more vulnerable to security risks and viruses," even if anti-virus software is in place, Microsoft said on its website.

Since 2007, when Microsoft announced its intentions to stop supporting XP, the company has worked with the federal government to check its progress, eventually on a monthly basis, and identify issues that may cause a delay in deployments of newer operating systems. Most agencies have moved from XP to the latest versions of Windows, and more than 90% of them are expected to have made the transition by April, Susie Adams, chief technology officer for Microsoft Federal, said in an email to InformationWeek.

That's better than the market at large: As of last month, more than 29% of the desktop market, or roughly half a billion active users worldwide, still use XP, according to Web-tracking firm Net Applications.

"We see significant momentum in agencies moving to Windows 7 and Windows 8.1 across the federal government," said Adams. "The same holds true for agencies moving to a cloud-based productivity suite with Office 365. The vast majority of cabinet-level agencies are moving or have moved to Office 365 in whole or in part." It's less clear how many agencies are replacing desktops with tablets that use Android or Apple's iOS operating systems.

The remaining 10% still relying on Windows XP, in part to sustain various legacy applications, will no longer get security updates or technical support for the outdated operating system. Even the National Institute of Standards and Technology, which published the "Guide to Securing Microsoft Windows XP Systems for IT Professionals" for federal agencies, issued its last update in October 2008.

Those agencies that haven't made the switch will be susceptible to attacks by hackers looking for new flaws in the unpatched machines. These include thousands of computers on classified military and diplomatic networks that hold sensitive information, according to the Washington Post.

Organizations that will experience problems once Microsoft stops releasing patches for Windows XP fall into two categories. There are those with computers that are part of larger systems, performing specialized tasks with certain control components on Windows XP. Owners of those systems won't be able to upgrade, although this situation for the most part won't apply to government agencies, Dave Frymier, chief information security officer at Unisys, said in an interview.

Federal agencies fall into the second category: organizations with numerous Windows XP workstations that haven't been upgraded for budgetary reasons, and continue to run XP because newer operating systems won't work on the antiquated hardware they have.

"We've talked to organizations that have thousands of these workstations, and the magnitude of this problem is large," said Frymier. "The longer a Windows XP machine sits there unpatched, the more vulnerable it will become to zero-day attacks that exploit an unknown vulnerability. It's been speculated that there are thousands of zero-day attacks against Windows XP."

There is also the issue of long-term support. Eventually, new hardware and software will stop working on the old operating system. As manufacturers switch to newer versions of Windows, many devices such as cameras and printers won't be compatible with Windows XP, according to Microsoft.

If CIOs cannot afford to pay for a refresh, the best alternative is segregating the XP systems into their own environment, Frymier said. They will have to replicate parts of their infrastructure, such as domain controllers, printers, and DNS servers -- a process that varies in difficulty. One way to compartmentalize an XP environment is by using network technologies like firewalls, switches, and routers.
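An added example (not from the article or from Unisys) of the two checks a CISO would want before trusting such an enclave: every XP host really sits inside the segregated subnet, and the gateway between that subnet and the general network passes nothing outbound from it. The addresses, hostnames and firewall rules are constructed for illustration.

```python
"""Audit a proposed Windows XP enclave: XP hosts must live inside the
segregated subnet, and the segmenting firewall must not let enclave
traffic reach the general network (replicated DC, DNS and printers are
inside the enclave, so nothing outbound is needed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: hypothetical subnets, hosts and rules.
ENCLAVE = ipaddress.ip_network("10.99.0.0/24")   # replicated DC/DNS/printers here
CORP_LAN = ipaddress.ip_network("10.0.0.0/16")

INVENTORY = [  # (hostname, operating system, address)
    ("XPKIOSK01", "Windows XP", "10.99.0.20"),
    ("XPCAM02",   "Windows XP", "10.0.14.7"),    # XP box left on the main LAN
    ("WS7-100",   "Windows 7",  "10.0.20.100"),
    ("XPDC01",    "Windows XP", "10.99.0.2"),    # replicated domain controller
]

@dataclass
class Rule:
    action: str               # "ACCEPT" or "DROP"
    src: str                  # CIDR
    dst: str                  # CIDR
    dport: Optional[int] = None

# Constructed FORWARD-chain rules on the enclave gateway, first match wins.
RULES = [
    Rule("ACCEPT", "10.99.0.0/24", "10.99.0.0/24"),        # intra-enclave, fine
    Rule("ACCEPT", "10.99.0.0/24", "10.0.5.0/24", 445),    # SMB into the LAN: a leak
    Rule("ACCEPT", "10.0.0.0/16",  "10.99.0.0/24", 3389),  # admins RDP in, inbound only
    Rule("DROP",   "0.0.0.0/0",    "0.0.0.0/0"),           # catch-all
]

def xp_hosts_outside_enclave(inventory, enclave=ENCLAVE):
    """Hostnames of XP machines whose address is not inside the enclave."""
    return [name for name, os_name, ip in inventory
            if os_name.startswith("Windows XP")
            and ipaddress.ip_address(ip) not in enclave]

def leaky_rules(rules, enclave=ENCLAVE, lan=CORP_LAN):
    """ACCEPT rules that let enclave-sourced traffic reach the main LAN.
    Stops at the catch-all DROP, since later rules never fire."""
    leaks = []
    for r in rules:
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if (r.action == "ACCEPT" and src.overlaps(enclave)
                and dst.overlaps(lan) and not dst.subnet_of(enclave)):
            leaks.append(r)
        if r.action == "DROP" and src.prefixlen == 0 and dst.prefixlen == 0:
            break
    return leaks

if __name__ == "__main__":
    print("XP hosts outside enclave:", xp_hosts_outside_enclave(INVENTORY))
    print("Rules leaking enclave traffic to LAN:", leaky_rules(RULES))
```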

The other alternative is isolating applications so that only authorized users can see and access the data in these applications. Unisys offers a software-based product called Stealth Solution Suite, which allows multiple user groups to share the same IT infrastructure in a secure way. Unisys launched a mobile version of the product in October.

Frymier said organizations should take Microsoft's warnings to upgrade to newer operating systems seriously. He said, "I think the Windows XP event could possibly be what Y2K wasn't."


Elena Malykhina began her career at The Wall Street Journal, and her writing has appeared in various news media outlets, including Scientific American, Newsday, and the Associated Press. For several years, she was the online editor at Brandweek and later Adweek.

I was reminded by a CISO today that XP is still widely used in networks that, for instance, are simply used to manage surveillance camera systems, and that don't go through the same refreshes that desktops go through.

Whoopty, I think there is more reason to fear than you suggest, especially those in offices. If the Target data breach teaches us anything, it's that the defenses of enterprises handling millions of valuable records are only as good as their weakest links. While a worker can say, "Hey, it's the company's/agency's machine," the fact remains, those machines still using XP will now become an open invitation to hackers. I'm willing to bet the damage and/or cost of mitigation that will arise from hackers exploiting XP machines will exceed what it would have cost to upgrade to Windows 7.

I think the days of the general public being "scared" of computers and what they can do died after the Y2K non-event. While they should still be wary, I think you're unlikely to find any real fear surrounding the XP switchoff, because those that use it privately can upgrade without too much difficulty - for the most part - and those in offices, well it's not their machine, is it?

Given the shift to more risk-based security practices, one would think that the XP problem would have gotten the kind of attention Y2K generated, and agencies would have found the money. But unfortunately, internal politics surrounding key agency programs, and their funding, often wins out over the legitimate cries from the IT department.

Procrastination, or the effect of budget cuts? XP is HOW old? Do you think IT specialists in civil service haven't been begging for money for upgrades for years? As long as no one wants to pay taxes, or fund the government, of course it will not perform to expectations. Chalk it up to the "deferred maintenance" aka "I left my check book in my car, I'll be back in a few minutes" policies demanded by certain crowds.

It seems illogical that agencies would take the risks of not switching off XP. But when managers are being told there's no money for equipment/software upgrades, all IT can do is say I told you so when the hackers get through.
